Data breaches require considerable time and resources to resolve. The damage can be extensive, from financial costs and operational downtime to untold reputational harm, while the shift to remote working has exposed new vulnerabilities too.
With such wide-ranging consequences, it pays to be prepared, but according to the latest Experian research, only 19% of firms strongly agreed that they were prepared to respond to a data breach caused by their remote workforce.
Even businesses that believe they are well prepared are likely to have blind spots. They underestimate the difficulty of recovering from a breach: the complexity of notifying customers, managing communication channels, notifying regulators, and executing a raft of essential decisions to mitigate risks and minimise business impact.
Organisations tend to focus on prevention – investing in IT systems and software to minimise the risk of an attack. But few go further and prepare for the response required should a breach occur. Cyber-attacks can happen at any time to any business of any size.
Businesses also face many competing priorities, and particularly in the Covid-19 era it can be difficult to find the time and resources to dedicate to data breach response planning.
Why prepare for a data breach?
Preparing for a data breach means you are ready to respond immediately.
Your business will have a greater appreciation of the decisions that need to be made. Many of these decisions, and the thinking behind them, can be made in advance. That will take the pressure off when you are in a stressful crisis recovery situation. You will know who to consult, from legal and insurance teams to crisis PR and response specialists – and how to report to regulators.
What steps should businesses take now?
The first step is to examine the data you hold on customers and employees. Under GDPR, the minimum you must do is notify data subjects if they are deemed to be at high risk of identity theft, as well as notifying the regulator.
We have seen in the last 18 months that companies need to review the data they hold on their customers. We often see duplication of records and joint account names which need to be split into individual data subjects. Mortality and address checks are especially relevant in the current climate.
How would you notify those people whose data is potentially compromised?
Historically, especially in the UK and the EU, most companies would choose to manage and send out letter or email notifications themselves to those people whose data had been potentially compromised. This was partly due to cost, but overwhelmingly it was a result of not wanting to send more personal data to a third party in order to distribute notification communications.
In these changing times however, more companies are coming to specialist providers like Experian for advice and access to our readiness and response services. We are also finding companies are questioning what communication channels they should use in the event of a data breach and how this affects wider communication plans to media and stakeholders.
Email has by far been the most popular distribution channel for companies, mainly because of its cost effectiveness and speed. We have seen, however, especially during the last 18 months, that people are being bombarded by phishing emails and are, to a degree, viewing any unexpected email with a high degree of suspicion.
Postal communications have increased, as these are viewed with a greater degree of consumer confidence. Letters that include URLs to monitoring sites seem to be trusted to a higher extent than a hyperlink in an email. In the event of a data breach, companies are also starting to use microsites rather than their main site to provide further information about the incident, which reduces traffic to the main site, and are adding live agent or chatbot capability through companies like Experian to further reassure their customers and employees.
It is not always the first thing you think of when preparing your response, but having call centre support at the ready is one area where you will be thankful you resourced in advance.
Organisations with a large number of customers or employees will want to scale up their resources to meet the incoming demand for advice and reassurance.
The question is how quickly could you find this resource, and would you be able to manage the volume of callers you anticipate? Could you provide multi-lingual capabilities, if needed? Could you confidently manage the potentially challenging conversations that will undoubtedly start to unfold?
These changes in approach have led many more clients to contact us about pre-breach readiness services. They are reviewing their contact data estate and communication channels, as well as how to communicate quickly and effectively with larger volumes of customers and how to manage the follow-up of inbound communications.